I have a problem with ssh host keys being automatically
generated(?).  Our installation process looks like this:

 1) Install IdM server and clients.
 2) Generate ssh host keys for all machines in a special way
    because of a requirement about available entropy that is not
 3) Distribute the new keys to all machines but do not install
    them.  (Any required known_hosts files are also generated
    and distributed).
 4) Reboot all machines at the same time.
 5) During reboot, a script installs the new keys and deletes the
    old ones (rsa and ecdsa format).

However, host key files in rsa and ecdsa format keep reappearing.
I'm not exactly sure when this happens.  Does it have something to
do with sssd?

--

So, we need to disable

 * automatic generation of ssh keys,
 * restoring them from backups (in case some component does that).

Caching the keys in sssd would be in order if we can make sure
that sssd does not cache the old keys at any time.  Running
"sss_cache -H" does not seem to affect the cached known_hosts file
in /var/lib though.

I understand that IdM can manage host keys, but we don't want to
use that feature because of the underlying system requirements,
and we'll never add new machines anyway.

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
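An added check for the symptom described in the post (not code from the original message or from the FreeIPA/sssd projects): it compares the live host key files against the copies distributed in step 3, so any rsa/ecdsa key that was recreated after the reboot script deleted it shows up by name. The staging directory path is an assumption; on Fedora and RHEL the sshd-keygen helper that runs when sshd starts recreates missing host key files, which is one boot-time generator worth checking for this "keep reappearing" behaviour.

```shell
#!/bin/sh
# Audit live ssh host keys against the staged copies that were distributed
# in step 3 of the installation process.
#
# Assumed layout (not from the original post):
#   live_dir   = directory sshd reads host keys from, e.g. /etc/ssh
#   staged_dir = directory holding the distributed keys, e.g. /root/newkeys
#
# Prints one line per finding:
#   UNEXPECTED <name>  live key with no staged copy (probably regenerated)
#   MISMATCH   <name>  live key differs byte-for-byte from the staged copy
#   MISSING    <name>  staged key that was never installed
# Always returns 0 so it can be piped into wc/grep in a cron job or a
# post-boot verification step.
audit_host_keys() {
    live_dir="$1"
    staged_dir="$2"

    # Pass 1: every live key file must have an identical staged copy.
    for f in "$live_dir"/ssh_host_*_key "$live_dir"/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        name=$(basename "$f")
        if [ ! -e "$staged_dir/$name" ]; then
            echo "UNEXPECTED $name"
        elif ! cmp -s "$f" "$staged_dir/$name"; then
            echo "MISMATCH $name"
        fi
    done

    # Pass 2: every staged key must actually be installed.
    for f in "$staged_dir"/ssh_host_*_key "$staged_dir"/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ -e "$live_dir/$name" ] || echo "MISSING $name"
    done
    return 0
}

# Usage (after the reboot in step 4):
#   audit_host_keys /etc/ssh /root/newkeys
# No output means the live keys are exactly the distributed set.
```

Run it from the same boot-time hook that installs the keys, once before and once a few minutes after, to narrow down which service recreates the files.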